
What's the best strategy to catch up on HIPAA compliance quickly?

Learn how to build a good compliance program for HIPAA in order to protect patient information and avoid fines and penalties.

Since HIPAA regulations have never been enforced (until recently), management has let our HIPAA compliance efforts fall woefully behind. What's the best place to start so that we can become compliant as quickly as possible?

There's a long road in front of you, but better late than never. The best place to start is with a mandate from the executive team declaring that HIPAA is now a priority. Without the support of management, your efforts will be an exercise in futility.

The essentials of any good compliance program can be broken down into the following broad categories: management support, knowledge, documentation, education and controls.

Assuming the compliance program has management support, the next step involves working with the various business units to identify what data falls under HIPAA regulations, who has access to it and what controls are in place to protect it. This is also a prime time to review the existing security and privacy policies.

Once a baseline is established, it's time to move into the documentation phase. Documentation is key, as it will enable you to cleanly communicate to upper management where any deficiencies lie in the existing data protection program and justify the necessary changes that will bring the company into compliance.

This brings us to education. For a compliance program to be successful, everyone involved needs to understand what the requirements are (policies, procedures, etc.) and why they are important, as well as the consequences of non-compliance. In the case of HIPAA, there is also a mandate to notify patients and customers of their rights, and employees need to understand that process as well.

The final category is controls. These are documented methods for ensuring that data stays where it is supposed to be. Some of these are technical (firewalls, encryption, DLP, etc.), but a good portion will be process controls (need to know, log reviews, manual audits, written permission for data sharing) and physical controls (locks, safes, document destruction).

Hopefully, once you've documented the company's current position and properly educated management about deficiencies, they will approve the necessary funding and changes so you can start working on the plan for remediation. Good luck!

This was last published in November 2008
